XML Signature: How to calculate the digest value?

前端 未结 4 1298
执念已碎
执念已碎 2020-12-23 21:44

I have an XML like this



  
    A
  
  

        
相关标签:
4条回答
  • 2020-12-23 22:05

    I came across this question when attempting to find out the exact same thing. I later worked out how to do it, so figured I'd post the answer here.

    The things that need to happen are:

    • canonicalization
    • create digest value, typically SHA1 (but could be SHA256 amongst others)
    • base64 encode it

    The canonicalization part was fairly simple, as the Java libraries did that for me. What I struggled with was the next bit, the creating of the digest, because I made a fatal error in that the SHA1 digest I generated was the SHA1 in HEX form. SHA1 is 160 bits, so 20 bytes, but if you output these 160 bits in HEX, you get 40 characters. If you then base64 encode that, you get totally the wrong value compared to what should be in the DigestValue.

    Instead, you should generate the SHA1 digest and base64 encode the 20 byte output. Don't try to output the 20 bytes to STDOUT as it's highly unlikely to be readable (which is why people often output the HEX equivalent, since it is readable). Instead, just base64 encode the 20 bytes and that's your DigestValue.

    0 讨论(0)
  • 2020-12-23 22:11

    Is very simple, use openssl in the console:

    openssl dgst -binary -sha1 file | openssl enc -base64

    Done

    0 讨论(0)
  • 2020-12-23 22:14

    This is a JAVA solution which requires the following jars:

    • commons-logging-1.2.jar
    • commons-codec-1.6.jar
    • Saxon-HE-9.4.jar
    • xmlsec-1.3.0.jar

    This solution uses http://www.w3.org/2001/10/xml-exc-c14n# as the canonicalization algorithm, and uses SHA256 as the hashing algorithm and base64 encoding.

    Note: document represents the XML document as a DOM object in JAVA.

    Code sample:

            // create the transformer in order to transform the document from
            // DOM Source as a JAVA document class, into a character stream (StreamResult) of
            // type String writer, in order to be converted to a string later on
            TransformerFactory tf = new net.sf.saxon.TransformerFactoryImpl();
            Transformer transformer = tf.newTransformer();
            transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
            transformer.setOutputProperty(OutputKeys.METHOD, "xml");
            transformer.setOutputProperty(OutputKeys.ENCODING, "UTF-8");
    
            // create the string writer and transform the document to a character stream
            StringWriter sw = new StringWriter();
            transformer.transform(new DOMSource(document), new StreamResult(sw));
    
            String documentAsString = sw.toString();
    
            // initialize the XML security object, which is necessary to run the apache canonicalization
            com.sun.org.apache.xml.internal.security.Init.init();
    
            // canonicalize the document to a byte array and convert it to string
            Canonicalizer canon = Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
            byte canonXmlBytes[] = canon.canonicalize(documentAsString.getBytes());
            String canonXmlString = new String(canonXmlBytes);
    
            // get instance of the message digest based on the SHA-256 hashing algorithm
            MessageDigest digest = MessageDigest.getInstance("SHA-256");
    
            // call the digest method passing the byte stream on the text, this directly updates the message
            // being digested and perform the hashing
            byte[] hash = digest.digest(canonXmlString.getBytes(StandardCharsets.UTF_8));
    
            // encode the endresult byte hash
            byte[] encodedBytes = Base64.encodeBase64(hash);
    
            return new String(encodedBytes);
    
    0 讨论(0)
  • 2020-12-23 22:15

    I have encountered exactly this problem myself: I was generating an XML signature in Java & validating in .NET, and the validation always failed. In my case the cause was the 'print XML to file' function XMLWrite.m (yes, in MATLAB*) which was 'pretty printing' the XML, inserting tabs, spaces, and newlines as it saw fit. Since these are part of the document, naturally the validation failed (it failed in Java, too). Looking at your source, this may be happening to you. Use a Transformer (javax.xml.transform.*) to serialise your DOM properly without changing the content.

    *You did know that MATLAB understands Java as well? You can just type Java statements into the interpreter console & they will be executed like native m-code.

    0 讨论(0)
提交回复
热议问题